Abstract


In this paper, we study the application of propositional decision procedures in hardware verification. We introduce the concept of bounded model checking. We show that bounded model checking for linear temporal logic formulas can be reduced to propositional satisfiability. We also present several optimizations that reduce the size of generated propositional formulas. To demonstrate our approach, we have implemented a tool BMC. BMC accepts a subset of the SMV language and uses state of the art SAT procedures to decide propositional satisfiability. As special cases, equivalence checking and invariant checking can also be handled. In many instances, our SAT-based approach can significantly outperform BDD-based approaches. We observe that SAT-based techniques are particularly efficient in detecting errors in both combinational and sequential designs.


1 Introduction


A complex hardware design can be error-prone and mistakes are costly. Formal verification techniques such as symbolic model checking are gaining wide industrial acceptance. Compared to traditional validation techniques based on simulation, they provide more extensive coverage and can detect subtle errors. Representing and manipulating boolean expressions is critical to many formal verification techniques. BDDs [2] have traditionally been used for this purpose. In this paper, we investigate an alternative approach based on propositional decision procedures.

Model checking [4] is an important technique for verifying sequential designs. In model checking, the specification of a design is expressed in temporal logic and the implementation is described as a finite state machine. Symbolic model checking uses a boolean encoding to represent the finite state machine. By replacing explicit state representation with boolean encoding, symbolic model checking [3,11] can handle much larger designs than explicit state model checking.

By introducing the concept of bounded model checking, we are able to use efficient propositional decision procedures for symbolic model checking. In bounded model checking, only paths of bounded length $k$ are considered. Bounded model checking is thus concerned with finding bugs (or counterexamples) of limited length $k$. Given a specification in temporal logic and a finite state machine, we construct a propositional formula which is satisfiable iff there is a counterexample of length $k$. In practice, we look for longer and longer counterexamples by incrementing the bound $k$, and after a certain number of iterations, we may conclude that no counterexample exists and the specification holds. For example, to verify safety properties, the number of iterations is bounded by the diameter of the finite state machine.

There are known tradeoffs between SAT procedures and BDDs. These tradeoffs are also reflected in SAT-based model checkers and BDD-based model checkers. In particular, BDDs are canonical representations. Once the BDDs are constructed, operations on two boolean expressions can be done very efficiently. On the other hand, by not using a canonical representation, SAT-based model checkers avoid the exponential space blowup of BDDs. They can detect a counterexample without searching through the entire state space. BDD-based approaches often require a good variable ordering. The ordering is either generated manually or by dynamic variable reordering, which can be time consuming. In SAT-based model checkers, automatic splitting heuristics are often sufficient. BDDs require a uniform variable ordering. SAT procedures allow different splitting orderings on different branches. This often leads to a more efficient search. In bounded model checking, the propositional formula encodes the constraints from the initial state and the specification. Both these constraints can be used to prune the search.

Invariant checking and equivalence checking can both be treated as special cases of bounded model checking. It can be easily shown that invariant checking corresponds to bounded model checking where the bound $k$ equals 1. Equivalence checking is a special case of bounded model checking where the bound $k$ equals 0. The tradeoffs mentioned earlier are also reflected in SAT-based invariant checking and equivalence checking techniques.
We have implemented a tool BMC to demonstrate our approach. It accepts a subset of the SMV language in which the user can specify a finite state machine and a temporal specification. Given a bound $k$, BMC outputs a propositional formula which is satisfiable iff there is a counterexample of length $k$. Currently, we use SATO [17], an efficient implementation of the Davis-Putnam technique, and PROVER [1], based on Stålmarck's Method [16], to decide propositional satisfiability. BMC can output propositional formulas in either DIMACS format [8] or PROVER format. If a counterexample exists, SATO or PROVER generates a model of the propositional formula produced by BMC. We also have developed a script that translates the model back to a sequence of state transitions. We have run a number of examples using BMC. We show cases where BMC detected a counterexample in seconds where BDD-based approaches failed due to memory limits.

The paper is organized as follows. In the following section, we present the concept of bounded model checking and show the reduction of bounded model checking to propositional satisfiability. In section 3, we present a number of optimization techniques in generating propositional formulas. They help to reduce the complexity of the propositional formula generated by BMC. In section 4, we show some experimental results. We have tested BMC on a number of examples from symbolic model checking, invariant checking and equivalence checking. Finally, we conclude the paper with some directions for future work.

2 Bounded model checking

We now present our techniques for bounded model checking. First, we give some background and notational conventions that will be used in the rest of the paper. Then we illustrate our approach with a simple example. Finally, we show the reduction of bounded model checking to propositional satisfiability for LTL formulas in general.


2.1 Background

The specification of a system is expressed in linear temporal logic (LTL). We consider the next time operator 'X', the eventuality operator 'F', the globally operator 'G', the until operator 'U', and the release operator 'R'. To simplify our discussion, we consider only existential LTL formulas, i.e. formulas of type $\mathbf{E}f$ where $\mathbf{E}$ is the existential path quantifier and $f$ is a temporal formula that contains no path quantifiers. Note that $\mathbf{E}$ is the dual of the universal path quantifier $\mathbf{A}$. Finding a witness for $\mathbf{E}f$ is equivalent to finding a counterexample for $\mathbf{A}\neg f$.

The implementation of a system is described as a Kripke structure. A Kripke structure is a tuple $M = (S, I, T, \ell)$ with a finite set of states $S$, the set of initial states $I \subseteq S$, a transition relation between states $T \subseteq S \times S$, and the labeling of the states $\ell : S \to \mathcal{P}(\mathcal{A})$ with atomic propositions $\mathcal{A}$. In symbolic model checking, we assume that $S = \{0,1\}^n$ and each state can be represented by a vector of state variables $s = (s(1), \ldots, s(n))$ where $s(i)$ for $i = 1, \ldots, n$ are propositional variables. We define propositional formulas $f_I(s)$, $f_T(s,t)$ and $f_p(s)$ as follows: $f_I(s)$ iff $s \in I$, $f_T(s,t)$ iff $(s,t) \in T$, and $f_p(s)$ iff $p \in \ell(s)$. For the rest of the paper we simply use $T(s,t)$ instead of $f_T(s,t)$ etc. In addition, we require that every state has a successor state. That is, for all $s \in S$ there is a $t \in S$ with $(s,t) \in T$. For $(s,t) \in T$ we also write $s \to t$. For an infinite sequence of states $\pi = (s_0, s_1, \ldots)$ we define $\pi(i) = s_i$ and $\pi^i = (s_i, s_{i+1}, \ldots)$ for $i \in \mathbb{N}$. An infinite sequence of states $\pi$ is a path if $\pi(i) \to \pi(i+1)$ for all $i \in \mathbb{N}$.

An LTL formula $\mathbf{E}f$ is true in a Kripke structure $M$ ($M \models \mathbf{E}f$) iff there exists a path $\pi$ in $M$ with $\pi \models f$ and $\pi(0) \in I$. Model checking is concerned with the problem of determining the truth value of an LTL formula in a given Kripke structure, or equivalently, the problem of determining the existence of a witness for the LTL formula. We now illustrate bounded model checking with a simple example.

2.2 Example


Fig. 1. A two-bit counter with an erroneous transition (figure not reproduced in this copy).


Let's consider a two-bit counter. The implementation of the counter is shown as a Kripke structure in Figure 1. There are four states in the Kripke structure. Each state $s$ is represented by two state variables $s[1]$ and $s[0]$, denoting the value of the high bit and the low bit respectively. In the initial state, the value of the counter is 0. Thus the initial state predicate $I(s)$ is defined as $\neg s[1] \wedge \neg s[0]$. The transition relation $T(s,s')$ describes the increment of the counter at each step. We define $inc(s,s')$ as $(s'[0] \leftrightarrow \neg s[0]) \wedge (s'[1] \leftrightarrow (s[0] \oplus s[1]))$, and we define $T(s,s')$ as $inc(s,s') \vee (s[1] \wedge \neg s[0] \wedge s'[1] \wedge \neg s'[0])$. Note that we deliberately add an erroneous transition from state (10) to itself.

Suppose we are interested in the fact that the counter should eventually reach state (11). We can specify the property as $\mathbf{AF}q$, where $q(s)$ is defined as $s[1] \wedge s[0]$. Namely, for all possible execution paths, there exists a state such that $q(s)$ holds. Equivalently, we can check whether there exists a path in which the counter never reaches state (11). The new property is expressed as $\mathbf{EG}p$, where $p(s)$ is defined as $\neg s[1] \vee \neg s[0]$. Note that $\mathbf{EG}p$ is the dual of $\mathbf{AF}q$.

In bounded model checking, we restrict our attention to paths of length $k$, that is, paths with $k+1$ states. We start with $k = 0$, and increment $k$ until a witness is found. Let's consider the case where $k$ equals 2. We name the $k+1$ states as $s_0, s_1, s_2$. We now formulate a set of constraints on $s_0, s_1$ and $s_2$ in propositional logic. The constraints guarantee that a path consisting of $s_0, s_1, s_2$ is indeed a witness of $\mathbf{EG}p$, or equivalently, a counterexample for $\mathbf{AF}q$.

First, we constrain $s_0, s_1, s_2$ to be a valid path starting from the initial state. Unrolling the transition relation for 2 steps, we derive the propositional formula $[\![M]\!]$ defined as $I(s_0) \wedge T(s_0, s_1) \wedge T(s_1, s_2)$, where $I$ and $T$ are predicates for the initial state and the transition relation defined earlier.

Second, we constrain the shape of the path. The sequence of states $s_0, s_1, s_2$ can be a loop. If so, there is a transition from $s_2$ to the initial state $s_0$, to $s_1$, or to itself. We use ${}_lL$, defined as $T(s_2, s_l)$, to denote the transition from $s_2$ to a state $s_l$ where $l \in [0,2]$. To be consistent with the general translation in the next section, we use a left subscript in ${}_lL$. We define $L$ as $\bigvee_{l=0}^{2} {}_lL$. Thus $\neg L$ denotes the case where no loop exists.

We further constrain that the specified temporal property $\mathbf{G}p$ holds on the given path $s_0, s_1, s_2$. In order to be a witness for $\mathbf{G}p$, the path must contain a loop. This constraint has been formulated as $L$. In addition, property $p$ must hold on every state of the path. We derive a corresponding propositional formula $[\![\mathbf{G}p]\!]$ defined as $p(s_0) \wedge p(s_1) \wedge p(s_2)$. In the case where no loop exists, $\mathbf{G}p$ does not hold and $[\![\mathbf{G}p]\!]$ is defined as $\mathit{false}$. Finally, we combine all constraints.

$$[\![M]\!] \wedge \Big( (\neg L \wedge \mathit{false}) \vee \bigvee_{l=0}^{2} \big( {}_lL \wedge [\![\mathbf{G}p]\!] \big) \Big) \qquad (1)$$

In general, the constraint imposed by the temporal specification depends on the configuration of the loop. Thus in formula (1), we put $[\![\mathbf{G}p]\!]$ within the scope of the disjunction over $l$. For our particular example the constraint $[\![\mathbf{G}p]\!]$ is the same for all loop configurations.

In this example, the formula is indeed satisfiable. The satisfying assignment corresponds to a counterexample that is a path from the initial state (00) over (01) to (10) followed by the self-loop at state (10). If the erroneous transition from state (10) to itself is removed then formula (1) becomes unsatisfiable.


2.3 Translation

Given a Kripke structure $M$, an LTL formula $f$ and a bound $k$, we will construct a propositional formula $[\![M,f]\!]_k$. The variables $s_0, \ldots, s_k$ in $[\![M,f]\!]_k$ denote a finite sequence of states on a path $\pi$. Each $s_i$ is a vector of state variables. The formula $[\![M,f]\!]_k$ represents constraints on $s_0, \ldots, s_k$ such that $[\![M,f]\!]_k$ is satisfiable iff $f$ is valid along $\pi$. To construct $[\![M,f]\!]_k$, we first define a propositional formula $[\![M]\!]_k$ that constrains $s_0, \ldots, s_k$ to be on a valid path $\pi$ in $M$. Second, we give the translation of an LTL formula $f$ to a propositional formula that constrains $\pi$ to satisfy $f$.

Definition 1 (Unfolding the Transition Relation). For a Kripke structure $M$, $k \in \mathbb{N}$

$$[\![M]\!]_k := I(s_0) \wedge \bigwedge_{i=0}^{k-1} T(s_i, s_{i+1})$$

Depending on whether a path is a $k$-loop or not (see Figure 2), we have two different translations of the temporal formula $f$. In Definition 2 we describe the translation if the path is not a loop. The translation "$[\![\,\cdot\,]\!]_k^i$" maps an LTL formula into a propositional formula. The parameter $k$ is the length of the prefix of the path that we consider and $i$ is the current position in this prefix (see Figure 2(a)). When we recursively process subformulas, $i$ changes but $k$ stays the same.

Fig. 2. The two cases for a bounded path: (a) no loop, (b) $(k,l)$-loop (figure not reproduced in this copy).

Consider the formula $h := p\,\mathbf{U}\,q$ and a path $\pi$ that is not a $k$-loop for a given $k \in \mathbb{N}$ (see Figure 2(a)). Starting at $\pi(i)$ for $i \in \mathbb{N}$ with $i \le k$, the formula $h$ is valid along $\pi^i$ with respect to the bounded semantics iff there is a position $j$ with $i \le j \le k$ and $q$ holds at $\pi(j)$. In addition, for all states $\pi(n)$ with $n \in \mathbb{N}$ starting at $\pi(i)$ up to $\pi(j-1)$ the proposition $p$ has to be fulfilled. Therefore the translation is simply a disjunction over all possible positions $j$ at which $q$ eventually might hold. For each of these positions a conjunction is added that ensures that $p$ holds along the path from $\pi(i)$ to $\pi(j-1)$. Similar reasoning leads to the translation of the other temporal operators.


Definition 2 (Translation of an LTL Formula without a Loop). For an LTL formula $f$ and $k, i \in \mathbb{N}$, with $i \le k$

$$\begin{aligned}
[\![p]\!]_k^i &:= p(s_i) & [\![\neg p]\!]_k^i &:= \neg p(s_i) \\
[\![f \wedge g]\!]_k^i &:= [\![f]\!]_k^i \wedge [\![g]\!]_k^i & [\![f \vee g]\!]_k^i &:= [\![f]\!]_k^i \vee [\![g]\!]_k^i \\
[\![\mathbf{G}f]\!]_k^i &:= \mathit{false} & [\![\mathbf{F}f]\!]_k^i &:= \bigvee_{j=i}^{k} [\![f]\!]_k^j \\
[\![\mathbf{X}f]\!]_k^i &:= \text{if } i < k \text{ then } [\![f]\!]_k^{i+1} \text{ else } \mathit{false} \\
[\![f\,\mathbf{U}\,g]\!]_k^i &:= \bigvee_{j=i}^{k} \Big( [\![g]\!]_k^j \wedge \bigwedge_{n=i}^{j-1} [\![f]\!]_k^n \Big) \\
[\![f\,\mathbf{R}\,g]\!]_k^i &:= \bigvee_{j=i}^{k} \Big( [\![f]\!]_k^j \wedge \bigwedge_{n=i}^{j} [\![g]\!]_k^n \Big)
\end{aligned}$$


Now we consider the case where the path is a $(k,l)$-loop. The translation of an LTL formula depends on the current position $i$ and on the length of the prefix $k$. It also depends on the position where the loop starts (see Figure 2(b)). This position is denoted by $l$ for loop.


Definition 3 (Successor in a Loop). Let $k, l, i \in \mathbb{N}$, with $l, i \le k$. Define the successor $succ(i)$ of $i$ in a $(k,l)$-loop as $succ(i) := i+1$ for $i < k$ and $succ(i) := l$ for $i = k$.
Definition 4 (Translation of an LTL Formula for a Loop). Let $f$ be an LTL formula, $k, l, i \in \mathbb{N}$, with $l, i \le k$.

$$\begin{aligned}
{}_l[\![p]\!]_k^i &:= p(s_i) & {}_l[\![\neg p]\!]_k^i &:= \neg p(s_i) \\
{}_l[\![f \wedge g]\!]_k^i &:= {}_l[\![f]\!]_k^i \wedge {}_l[\![g]\!]_k^i & {}_l[\![f \vee g]\!]_k^i &:= {}_l[\![f]\!]_k^i \vee {}_l[\![g]\!]_k^i \\
{}_l[\![\mathbf{G}f]\!]_k^i &:= \bigwedge_{j=\min(i,l)}^{k} {}_l[\![f]\!]_k^j & {}_l[\![\mathbf{F}f]\!]_k^i &:= \bigvee_{j=\min(i,l)}^{k} {}_l[\![f]\!]_k^j \\
{}_l[\![\mathbf{X}f]\!]_k^i &:= {}_l[\![f]\!]_k^{succ(i)} \\
{}_l[\![f\,\mathbf{U}\,g]\!]_k^i &:= \bigvee_{j=i}^{k} \Big( {}_l[\![g]\!]_k^j \wedge \bigwedge_{n=i}^{j-1} {}_l[\![f]\!]_k^n \Big) \vee \bigvee_{j=l}^{i-1} \Big( {}_l[\![g]\!]_k^j \wedge \bigwedge_{n=i}^{k} {}_l[\![f]\!]_k^n \wedge \bigwedge_{n=l}^{j-1} {}_l[\![f]\!]_k^n \Big) \\
{}_l[\![f\,\mathbf{R}\,g]\!]_k^i &:= \bigwedge_{j=\min(i,l)}^{k} {}_l[\![g]\!]_k^j \vee \bigvee_{j=i}^{k} \Big( {}_l[\![f]\!]_k^j \wedge \bigwedge_{n=i}^{j} {}_l[\![g]\!]_k^n \Big) \vee \bigvee_{j=l}^{i-1} \Big( {}_l[\![f]\!]_k^j \wedge \bigwedge_{n=i}^{k} {}_l[\![g]\!]_k^n \wedge \bigwedge_{n=l}^{j} {}_l[\![g]\!]_k^n \Big)
\end{aligned}$$


The translation of the formula depends on the shape of the path (whether it is a loop or not). We now define a loop condition to distinguish these cases.

Definition 5 (Loop Condition). For $k, l \in \mathbb{N}$, let ${}_lL_k := T(s_k, s_l)$ and $L_k := \bigvee_{l=0}^{k} {}_lL_k$.

Definition 6 (General Translation). Let $f$ be an LTL formula, $M$ a Kripke structure and $k \in \mathbb{N}$

$$[\![M,f]\!]_k := [\![M]\!]_k \wedge \Big( \big( \neg L_k \wedge [\![f]\!]_k^0 \big) \vee \bigvee_{l=0}^{k} \big( {}_lL_k \wedge {}_l[\![f]\!]_k^0 \big) \Big)$$

The left side of the disjunction is the case where there is no back loop and the translation without a loop is used. On the right side all possible start positions $l$ of a loop are tried and the translation for a $(k,l)$-loop is conjoined with the corresponding ${}_lL_k$ loop condition. The following theorem shows the correctness of our translation.

Theorem 1. $M \models \mathbf{E}f$ iff $[\![M,f]\!]_k$ is satisfiable for some $k \in \mathbb{N}$.
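The following is an added, runnable illustration of Definitions 1 to 6 applied to the two-bit counter of Section 2.2; it is example code written for this page, not the BMC tool described in the paper. The translation is built as Python predicates over the state sequence $s_0, \ldots, s_k$ rather than as CNF, and satisfiability is decided by enumerating all state sequences instead of calling SATO or PROVER, which is only feasible because the model has two state bits. The tuple syntax for LTL formulas and the names `tr`, `bmc` and `find_witness` are this example's own conventions.

```python
from itertools import product

# Added example (not the paper's BMC tool). LTL formulas in negation normal form
# as nested tuples: ('p', pred), ('not', ('p', pred)), ('and', f, g), ('or', f, g),
# ('X', f), ('F', f), ('G', f), ('U', f, g), ('R', f, g). A propositional formula
# over s_0..s_k is represented as a predicate on the list of states; the real tool
# emits CNF instead, but the structure of the translation is identical.

FALSE = lambda s: False
AND = lambda ps: (lambda s: all(p(s) for p in ps))
OR = lambda ps: (lambda s: any(p(s) for p in ps))


def tr(f, i, k, l=None):
    """[[f]]_k^i (Definition 2) when l is None, otherwise _l[[f]]_k^i (Definition 4)."""
    op = f[0]
    sub = lambda g, j: tr(g, j, k, l)                  # same k and l, new position j
    if op == 'p':
        return lambda s, q=f[1]: q(s[i])
    if op == 'not':                                    # negation only in front of atoms
        return lambda s, q=f[1][1]: not q(s[i])
    if op == 'and':
        return AND([sub(f[1], i), sub(f[2], i)])
    if op == 'or':
        return OR([sub(f[1], i), sub(f[2], i)])
    if op == 'X':
        if l is None:
            return sub(f[1], i + 1) if i < k else FALSE
        return sub(f[1], i + 1 if i < k else l)        # succ(i) of Definition 3
    if op == 'G':                                      # without a loop G has no witness
        return FALSE if l is None else AND([sub(f[1], j) for j in range(min(i, l), k + 1)])
    if op == 'F':
        return OR([sub(f[1], j) for j in range(i if l is None else min(i, l), k + 1)])
    g, h = f[1], f[2]                                  # binary temporal operators
    if op == 'U':
        cases = [AND([sub(h, j)] + [sub(g, n) for n in range(i, j)]) for j in range(i, k + 1)]
        if l is not None:                              # g from i to k and around the loop to j-1
            cases += [AND([sub(h, j)] + [sub(g, n) for n in range(i, k + 1)]
                          + [sub(g, n) for n in range(l, j)]) for j in range(l, i)]
        return OR(cases)
    if op == 'R':
        cases = [AND([sub(g, j)] + [sub(h, n) for n in range(i, j + 1)]) for j in range(i, k + 1)]
        if l is not None:
            cases += [AND([sub(g, j)] + [sub(h, n) for n in range(i, k + 1)]
                          + [sub(h, n) for n in range(l, j + 1)]) for j in range(l, i)]
            cases.append(AND([sub(h, j) for j in range(min(i, l), k + 1)]))   # h holds forever
        return OR(cases)
    raise ValueError(op)


def bmc(I, T, f, k):
    """[[M,f]]_k of Definition 6 as a predicate on a state sequence s_0..s_k."""
    unrolled = lambda s: I(s[0]) and all(T(s[j], s[j + 1]) for j in range(k))  # Definition 1
    loop = lambda s, l: T(s[k], s[l])                                           # _lL_k, Definition 5
    no_loop, loops = tr(f, 0, k), [(l, tr(f, 0, k, l)) for l in range(k + 1)]
    return lambda s: unrolled(s) and (
        (not any(loop(s, l) for l in range(k + 1)) and no_loop(s))
        or any(loop(s, l) and g(s) for l, g in loops))


def find_witness(I, T, f, max_k, nbits):
    """Increase k from 0; return (k, states) for the first satisfiable [[M,f]]_k, else None."""
    states = list(product((False, True), repeat=nbits))
    for k in range(max_k + 1):
        phi = bmc(I, T, f, k)
        for seq in product(states, repeat=k + 1):      # enumeration stands in for the SAT solver
            if phi(seq):
                return k, seq
    return None


# The two-bit counter of Section 2.2; a state is the pair (s[0], s[1]) = (low bit, high bit).
def I(s):
    return not s[0] and not s[1]

def inc(s, t):                                         # the correct increment
    return t[0] == (not s[0]) and t[1] == (s[0] != s[1])

def T_bug(s, t):                                       # inc plus the erroneous (10) -> (10) transition
    return inc(s, t) or (s[1] and not s[0] and t[1] and not t[0])

p = ('p', lambda s: not s[1] or not s[0])               # counter != 3
q = ('p', lambda s: s[1] and s[0])                      # counter == 3
EG_p = ('G', p)                                         # witness of EGp = counterexample to AFq

def fmt(seq):
    """Render a state sequence as counter values, high bit first, e.g. '00 01 10'."""
    return ' '.join(f"{int(s[1])}{int(s[0])}" for s in seq)

if __name__ == '__main__':
    k, seq = find_witness(I, T_bug, EG_p, 4, 2)
    print(k, fmt(seq))                                  # 2 00 01 10   (then the self-loop at 10)
    print(find_witness(I, inc, EG_p, 5, 2))             # None: the correct counter always reaches 11
    k, seq = find_witness(I, inc, ('U', p, q), 5, 2)
    print(k, fmt(seq))                                  # 3 00 01 10 11
```

With the erroneous transition the first satisfiable bound is $k = 2$ and the model is the path (00), (01), (10) closed by the loop condition ${}_2L_2$, exactly the counterexample discussed after formula (1); without it, $\mathbf{EG}p$ has no bounded witness for any $k$ tried, since every loop back from $s_k$ passes through (11). The third query shows the loop translation of $\mathbf{U}$ at work: at $k = 3$ the only valid path already has a back edge (11) $\to$ (00), so the $(3,0)$-loop case is the one that produces the witness.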

3 Conversion to CNF

Many propositional decision procedures assume the input problem to be in conjunctive normal form. In this section, we focus on techniques for converting arbitrary boolean formulas to conjunctive normal form. In particular, we investigate optimization techniques that reduce the number of variables and clauses in the CNF generated. The satisfiability test for propositional problems is NP-complete. All known propositional decision procedures are exponential in the worst case. However, they may use different heuristics in guiding their search and exhibit different complexity in subsets of the propositional problems. A precise characterization of the "hardness" of propositional problems is difficult and is likely to be dependent on the specific propositional decision procedures used. Reducing the size of the CNF may not always reduce the complexity of the problem. Our optimization techniques are heuristic in nature as well. Experimental results show that these optimization techniques reduce the size of the CNF as well as the time for the satisfiability test.

A formula $f$ in conjunctive normal form is represented as a set of clauses, each clause is a set of literals, and each literal is either a positive or negative propositional variable. In other words, a formula is a conjunction of clauses, and a clause is a disjunction of literals. For example, $(a \vee b \vee c) \wedge (\neg b \vee \neg c)$ is represented as $\{\{a, b, c\}, \{\neg b, \neg c\}\}$. Conjunctive normal form is also referred to as clause form.

Given a boolean formula $f$, one may replace boolean operators in $f$ with $\wedge$ and $\vee$ and apply the distributivity rule and De Morgan's law to convert $f$ into its conjunctive normal form $f_{CNF}$. The size of $f_{CNF}$ can be exponential with respect to the size of $f$. For example, the worst case occurs when $f$ is in disjunctive normal form. To avoid the exponential explosion, we use a structure preserving clause form transformation [14].


    procedure bool-to-cnf(f, v_f)
    {
        if (cached(f, v)) return(clause(v_f <-> v));
        case
            atomic(f):    return(clause(f <-> v_f));
            f == h o g:   C1 = bool-to-cnf(h, v_h);
                          C2 = bool-to-cnf(g, v_g);
                          assert(cached(f, v_f));
                          return(clause(v_f <-> (v_h o v_g)) U C1 U C2);
        esac;
    }

Fig. 3. An algorithm for generating conjunctive normal form. f, g and h are boolean formulas, v, v_h and v_g are boolean variables, 'o' represents a boolean operator.


Figure 3 outlines our procedure. Given a boolean formula $f$, bool-to-cnf($f$, true) returns a set of clauses $C$ which is satisfiable iff $f$ is satisfiable. The procedure traverses the syntactical structure of $f$, introduces a new variable (e.g. $v_h$, $v_g$) for each subexpression, and generates clauses that relate the new variables. If $u$ and $v$ are boolean variables, $u \leftrightarrow v$ is equivalent to the clause form $(\neg u \vee v) \wedge (u \vee \neg v)$. If $v$, $v_h$, $v_g$ are boolean variables and '$\circ$' is a boolean operator, $v \leftrightarrow (v_h \circ v_g)$ has a logically equivalent clause form with no more than 4 clauses, each of which contains no more than 3 literals. Note that $C$ is not logically equivalent to the original formula $f$, but it preserves the satisfiability of $f$.

We represent a boolean formula $f$ as a directed acyclic graph (DAG), i.e., common subterms of $f$ are shared. The DAG representation is important in practice. For example, the size of the formula $inc(a)$ is linear with a DAG representation, and is quadratic otherwise. In the procedure bool-to-cnf(), we preserve the sharing of subterms. Namely, for each subterm in $f$, only one set of clauses is generated. The sharing is reflected in line 1 of bool-to-cnf. For any boolean formula $f$, bool-to-cnf($f$, true) generates a clause set $C$ with $O(|f|)$ variables and $O(|f|)$ clauses, where $|f|$ is the size of the DAG for $f$.
In Figure 3, we assume that $f$ only involves binary operators. The unary operator, i.e. negation, can be handled similarly. We also extended the procedure to handle operators with multiple operands. In particular, we treat conjunction and disjunction as N-ary operators. For example, let us assume that $v_f$ represents the formula $\bigwedge_{i=0}^{n} x_i$. The clause form for $v_f \leftrightarrow \bigwedge_{i=0}^{n} x_i$ is $\{\{\neg v_f, x_0\}, \ldots, \{\neg v_f, x_n\}, \{v_f, \neg x_0, \ldots, \neg x_n\}\}$. If we treat $\wedge$ as a binary operator, we need to introduce $n-1$ new variables for the subterms in $\bigwedge_{i=0}^{n} x_i$. For instance, with this optimization, the comparison between two 16 bit registers $r$ and $s$ occurring as a subformula, $\bigwedge_{i=0}^{15} (r[i] \leftrightarrow s[i])$, can be converted into clause form without introducing new variables.
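To make the clause form transformation of Figure 3 and the N-ary optimization concrete, here is an added example written for this page (it is not the BMC tool's source): a structure-preserving translation to CNF with subterm sharing, DIMACS output, and a small DPLL procedure standing in for SATO so the result can be checked offline. The tuple representation of formulas, the `CNF` class and the helper names are this example's own; the clause counts it reports for the 16 bit register comparison follow from the rules in the text, not from a measurement of BMC.

```python
# Added example (not the BMC tool's code): the structure-preserving clause form
# transformation of Figure 3 with shared subterms and N-ary conjunction/disjunction,
# written out in DIMACS format, plus a small DPLL procedure to check the result.
# Formulas are nested tuples: a variable name (str), ('not', f),
# ('and', f1, ..., fn), ('or', f1, ..., fn) and ('iff', f, g). Literals are
# DIMACS-style signed integers: +v is variable v, -v its negation.

class CNF:
    def __init__(self):
        self.nvars, self.clauses = 0, []
        self.names = {}     # input variable name -> DIMACS variable number
        self.cache = {}     # subterm -> literal: the "cached" test in line 1 of Figure 3

    def fresh(self):
        self.nvars += 1
        return self.nvars

    def lit(self, f):
        """A literal equivalent to f; f's defining clauses are generated at most once."""
        if isinstance(f, str):
            if f not in self.names:
                self.names[f] = self.fresh()
            return self.names[f]
        if f in self.cache:                  # shared DAG node: reuse its variable
            return self.cache[f]
        op, args = f[0], f[1:]
        if op == 'not':                      # negation needs no new variable
            v = -self.lit(args[0])
        elif op in ('and', 'or'):            # N-ary: n binary clauses plus one long clause
            ls, v = [self.lit(a) for a in args], self.fresh()
            if op == 'and':                  # v <-> (l1 & ... & ln)
                self.clauses += [[-v, l] for l in ls] + [[v] + [-l for l in ls]]
            else:                            # v <-> (l1 | ... | ln)
                self.clauses += [[v, -l] for l in ls] + [[-v] + ls]
        elif op == 'iff':                    # v <-> (a <-> b): four clauses of three literals
            a, b = self.lit(args[0]), self.lit(args[1])
            v = self.fresh()
            self.clauses += [[-v, -a, b], [-v, a, -b], [v, a, b], [v, -a, -b]]
        else:
            raise ValueError(op)
        self.cache[f] = v
        return v

def to_cnf(f):
    """bool-to-cnf(f, true): clauses satisfiable iff f is. A top-level conjunction is
    asserted conjunct by conjunct, so it needs no variable of its own."""
    cnf = CNF()
    for g in (f[1:] if f[0] == 'and' else (f,)):
        cnf.clauses.append([cnf.lit(g)])
    return cnf

def dimacs(cnf):
    return "\n".join([f"p cnf {cnf.nvars} {len(cnf.clauses)}"]
                     + [" ".join(map(str, c)) + " 0" for c in cnf.clauses])

def dpll(clauses, assignment=None):
    """Davis-Putnam-Logemann-Loveland search: a satisfying {var: bool} or None."""
    assignment = dict(assignment or {})
    while True:                                        # unit propagation to a fixpoint
        unit, pending = None, []
        for c in clauses:
            if any(assignment.get(abs(l)) == (l > 0) for l in c):
                continue                               # clause already satisfied
            rest = [l for l in c if abs(l) not in assignment]
            if not rest:
                return None                            # conflict: clause falsified
            if len(rest) == 1 and unit is None:
                unit = rest[0]
            pending.append(rest)
        clauses = pending
        if unit is None:
            break
        assignment[abs(unit)] = unit > 0
    if not clauses:
        return assignment
    v = abs(clauses[0][0])                             # split on the first open variable
    for value in (True, False):
        model = dpll(clauses, {**assignment, v: value})
        if model is not None:
            return model
    return None

def register_equal(r, s, width=16):
    """The register comparison of the text, AND_i (r[i] <-> s[i]), as one N-ary conjunction."""
    return ('and',) + tuple(('iff', f"{r}{i}", f"{s}{i}") for i in range(width))

def nest_binary(f):
    """Rewrite N-ary and/or as nested binary operators (to measure what N-ary saves)."""
    if isinstance(f, str):
        return f
    op, args = f[0], tuple(nest_binary(a) for a in f[1:])
    if op in ('and', 'or') and len(args) > 2:
        return (op, args[0], nest_binary((op,) + args[1:]))
    return (op,) + args

if __name__ == '__main__':
    c = to_cnf(register_equal('r', 's'))
    print(c.nvars, len(c.clauses))                           # 48 80: no variable per conjunction
    c = to_cnf(nest_binary(register_equal('r', 's')))
    print(c.nvars, len(c.clauses))                           # 62 108: 14 extra variables, 28 clauses
    c = to_cnf(('and', ('or', 'a', 'b'), ('not', 'a')))
    print(dimacs(c))
    print(dpll(c.clauses))                                   # a false, b true
```

The 16 bit comparison costs 48 variables (32 inputs and one per $\leftrightarrow$) and 80 clauses when the conjunction is kept N-ary; nesting it as binary $\wedge$ adds 14 variables and 28 clauses for subterms that carry no information of their own, which is the effect the text describes. The DPLL procedure is deliberately minimal (unit propagation plus splitting on the first open variable); it is enough to confirm that the clause set is equisatisfiable with the input, but nothing like SATO in performance.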


4 Experimental Results

We have implemented a model checker BMC based on bounded model checking. Its input language is a subset of the SMV language [11]. It outputs a propositional formula. Two different formats for the propositional formula are supported. The first format is the DIMACS format [8] for satisfiability problems. The SATO tool [17] is an efficient implementation of the Davis & Putnam Procedure [6] and it uses the DIMACS format. We also support the input format of the PROVER Tool [1] which is based on Stålmarck's Method [16]. As comparisons, we use the official version of the CMU model checker SMV and a version by Bwolen Yang from CMU with improved support for conjunctive partitioning. We refer to them as SMV1 and SMV2 respectively.


4.1 Model Checking

As benchmarks we chose examples that are difficult for BDD-based approaches. First we investigated a sequential multiplier, the shift and add multiplier of [5]. We formulated as model checking problem the following property: when the sequential multiplier has finished, its output is the same as the output of a combinational multiplier (the C6288 circuit from the ISCAS'85 benchmarks) applied to the same input words. These multipliers are 16x16 bit multipliers but we only allowed 16 output bits as in [5] together with an overflow bit. We proved the property for each output bit individually and the results are shown in Table 1. Note that the overflow bit depends on all the bits of the sequential multiplier and occurs in the specification. Thus, the cone of influence reduction could not remove anything. For BDD-based model checkers, we used a manually chosen variable ordering where the bits of registers are interleaved. Dynamic reordering failed to find a considerably better ordering in a reasonable amount of time.

In [10] an asynchronous circuit for distributed mutual exclusion is described. It consists of $n$ cells for $n$ users that want to have exclusive access to a shared resource. We proved the liveness property that a request for using the resource will eventually be acknowledged. This liveness property is only true if each asynchronous gate does not delay execution indefinitely. We model this assumption by a fairness constraint for each individual gate. Each cell has exactly 18 gates and therefore the model has $n \cdot 18$ fairness constraints where $n$ is the number of cells. Since we do not have a bound for the maximal length of a counterexample for the verification of this circuit we could not verify the liveness property completely. We only showed that there are no counterexamples of
bit      SMV1          SMV2          SATO         PROVER
       sec    MB     sec    MB     sec    MB     sec    MB
 0     919    13      25    79       0     0       0     1
 1    1978    13      25    79       0     0       0     1
 2    2916    13      26    80       0     0       0     1
 3    4744    13      27    82       0     0       1     2
 4    6580    15      33    92       2     0       1     2
 5   10803    25      67   102      12     0       1     2
 6   43983    73     258   172      55     0       2     2
 7    >17h     -    1741   492     209     0       7     3
 8       -     -       -  >1GB     473     0      29     3
 9       -     -       -     -     856     1      58     3
10       -     -       -     -    1837     1      91     3
11       -     -       -     -    2367     1     125     3
12       -     -       -     -    3830     1     156     4
13       -     -       -     -    5128     1     186     4
14       -     -       -     -    4752     1     226     4
15       -     -       -     -    4449     1     183     5
sum  71923     -    2202     -   23970     -    1066     -

Table 1. 16x16 bit sequential shift and add multiplier with overflow flag and 16 output bits (sec = seconds, MB = Mega Byte). A dash marks an entry not reported; ">17h" and ">1GB" mark runs that exceeded the time or memory limit.


particular length $k$. To illustrate the performance of bounded model checking we have chosen $k = 5, 10$. The results can be found in Table 2.

We repeated the experiment with a buggy design. For the liveness property we simply removed several fairness constraints. Both PROVER and SATO generate a counterexample (a 2-loop) instantly (see Table 3).


4.2 Invariant Checking

Safety properties can be verified by providing an inductive invariant that has to hold at the initial state, is preserved by the transition relation and implies the safety property [7]. These three conditions can all be formulated as propositional satisfiability problems and verified by a propositional decision procedure. We implemented this approach in the tool BMC as follows. The user formulates the model as usual and specifies the invariant as a safety property (with AG). Then BMC generates two instances of a satisfiability problem. One formula for checking that the invariant is preserved by the transition relation and another formula for checking that the invariant holds initially. The third condition has to be formulated by the user.
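The three obligations above, each negated and posed as a satisfiability question so that a model is a counterexample to that obligation, as an added example written for this page (not the BMC tool's code). The model is a constructed 3 bit counter, not one of the paper's benchmarks, and satisfiability is decided by enumeration in place of a SAT solver. The example also shows the caveat a user of this scheme runs into: a property that holds on every reachable state need not be inductive, and a counterexample to the second obligation may start from an unreachable state, which is why the user must supply a strengthened invariant that is inductive and implies the property.

```python
from itertools import product

# Added example (not the BMC tool's code): the three proof obligations of the
# invariant checking scheme, each turned into a satisfiability question whose
# model is a counterexample to that obligation. States are bit tuples (index 0
# is the least significant bit); enumeration stands in for the SAT solver.

def value(s):
    return sum(b << i for i, b in enumerate(s))

def bits(v, n):
    return tuple(bool(v >> i & 1) for i in range(n))

def check_invariant(I, T, inv, prop, n):
    """Return (True, None, None) if inv is inductive and implies prop, else
    (False, obligation, model) where model satisfies the negated obligation."""
    S = [bits(v, n) for v in range(2 ** n)]
    for s in S:                              # SAT?  I(s) & ~inv(s)
        if I(s) and not inv(s):
            return False, 'init', s
    for s, t in product(S, repeat=2):        # SAT?  inv(s) & T(s,t) & ~inv(t)   (bound k = 1)
        if inv(s) and T(s, t) and not inv(t):
            return False, 'step', (s, t)
    for s in S:                              # SAT?  inv(s) & ~prop(s)   (the user's obligation)
        if inv(s) and not prop(s):
            return False, 'implies', s
    return True, None, None

# Constructed model: a 3 bit counter meant to count 0, 1, 2, 3, 4, 0, ...
N = 3
def I(s):        return value(s) == 0
def T(s, t):     return value(t) == (0 if value(s) == 4 else value(s) + 1)
def T_bug(s, t): return T(s, t) or (value(s) == 4 and value(t) == 5)   # erroneous 4 -> 5

def at_most_4(s): return value(s) <= 4      # candidate inductive invariant
def never_6(s):   return value(s) != 6      # the safety property, AG never_6

if __name__ == '__main__':
    print(check_invariant(I, T, at_most_4, never_6, N))      # (True, None, None)
    # never_6 holds in every reachable state but is not inductive on its own:
    # the unreachable state 5 satisfies it and steps to 6.
    print(check_invariant(I, T, never_6, never_6, N))        # (False, 'step', (5, 6) as bit tuples)
    # With the erroneous transition the strengthened invariant fails at 4 -> 5,
    # and this time the counterexample is reachable.
    print(check_invariant(I, T_bug, at_most_4, never_6, N))  # (False, 'step', (4, 5) as bit tuples)
```

The second obligation is the bound 1 instance of the unfolding of Definition 1 with the invariant in place of $I$: a pair of states rather than a path from an initial state. That is what makes it cheap, and also why its counterexamples have to be inspected for reachability before they are reported as bugs.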

As an example for this technique we verified that two different implementations of a queue of a particular length behave the same. This example is taken from [12] and it is known that no variable ordering exists such that the (RO)BDDs for the set of reachable states remain small. In columns SMV1 and SMV2, we used two versions of SMV to verify the safety property that the outputs of the two queues are always the same. In the other experiments of Table 4 an invariant was used that relates the contents of the
cells    SMV1          SMV2         SATO k=5    PROVER k=5    SATO k=10   PROVER k=10
       sec    MB     sec    MB     sec   MB     sec   MB     sec   MB     sec    MB
 4     846    11     159   217       0    3       1    3       3    6      54     5
 5    2166    15     530   703       0    4       2    3       9    8      95     5
 6    4857    18    1762   703       0    4       3    3       7    9     149     6
 7    9985    24    6563   833       0    5       4    4      15   10     224     8
 8   19595    31       -  >1GB       1    6       6    5      16   12     323     8
 9    >10h     -       -     -       1    6       9    5      24   13     444     9
10       -     -       -     -       1    7      10    5      36   15     614    10
11       -     -       -     -       1    8      13    6      38   16     820    11
12       -     -       -     -       1    9      16    6      40   18    1044    11
13       -     -       -     -       1    9      19    8     107   19    1317    12
14       -     -       -     -       1   10      22    8      70   21    1634    14
15       -     -       -     -       1   11      27    8     168   22    1992    15

Table 2. Liveness for one user in the DME (sec = seconds, MB = Mega Bytes). A dash marks an entry not reported; ">10h" and ">1GB" mark runs that exceeded the time or memory limit.


cells    SMV1          SMV2          SATO         PROVER
       sec    MB     sec    MB     sec    MB     sec    MB
 4     799    11      14    44       0     1       0     2
 5    1661    14      24    57       0     1       0     2
 6    3155    21      40    76       0     1       0     2
 7    5622    38      74   137       0     1       0     2
 8    9449    73     118   217       0     1       0     2
 9   segfault  -     172   220       0     1       1     2
10       -     -     244   702       0     1       0     3
11       -     -     413   702       0     1       0     3
12       -     -     719   702       0     2       1     3
13       -     -     843   702       0     2       1     3
14       -     -    1060   702       0     2       1     3
15       -     -    1429   702       0     2       1     3

Table 3. Counterexample for liveness in a buggy DME (sec = seconds, MB = Mega Bytes). SMV1 terminated with a segmentation fault from 9 cells on; a dash marks an entry not reported.
two queues. As discussed above, three conditions have to be verified for each particular length of the queues. Besides propositional decision procedures (see columns SATO and PROVER in Table 4), we also used model checking, similar to [7], to prove their correctness (see columns SMV3 and SMV4).

These experiments indicate that invariant checking can handle larger designs than traditional fixpoint computations. This result also applies to BDD-based approaches but the real potential of invariant checking becomes apparent when used in combination with propositional decision procedures.


 L    SMV1          SMV2          SMV3          SMV4          SATO        PROVER
      sec     MB    sec    MB     sec    MB     sec    MB     sec   MB    sec  MB
12      18    10      4    55      11    17       7    51      60    7      9   2
13      44    13      6    60      29    20      11    56      68    8     11   2
14     109    19     11    70      37    27      20    65     287   12     15   2
15     291    31     18    86      82    40      36    81     102   10     19   2
16     711    55     43   196     207    66      80   197     411    6      6   2
17    2126   102    159   393     573   119     191   393    1701   16     45   3
18    6103   195    459   753    1857   223     422   754     302   14     58   3
19   23405   383   1491   920    5765   430    1101   817    1551   20     70   3
20    >17h         >1GB         30809   845    9136   977    1377   20     86   3
21                               >1GB          >1GB          >40h          99   3
22                                                                        120   3
23                                                                        149   4
24                                                                        167   4

Table 4. Comparison between queues (L = length of queues, SMV3 = SMV1 with invariant checking, SMV4 = SMV2 with invariant checking, MB = Mega Byte, sec = seconds). In the case of invariant checking the accumulated time and the maximal memory requirements are shown.


4.3  Equivalence  Checking 

Recently, there has been a lot of progress in boolean equivalence checking [9, 13]. State-of-the-art equivalence checkers can handle designs with more than 1 million gates. These tools utilize the correspondence between internal signals and partition large circuits into much smaller ones. If the two circuits to be compared have significantly different structures, equivalence checkers can perform poorly, even on much smaller designs (less than 10K gates). Most equivalence checkers are BDD-based. We have investigated how propositional decision procedures (SAT procedures) can be used instead of BDDs for checking equivalence.

To determine if two given circuits are equivalent, we use BMC to convert the equivalence checking problem to a propositional satisfiability problem. The output of BMC is a formula in CNF which is fed into SATO. We observed that SATO can verify almost all designs with less than 10K gates, even if the two circuits are significantly different. In Table 5, we list some industrial circuits that cannot be processed by state-of-the-art equivalence checkers (based on BDDs and similarity of the two circuits) but that can be verified by SATO. In all cases, state-of-the-art equivalence checkers cannot finish within one day.
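The reduction described above, as an added example that is not the paper's BMC tool or SATO: two structurally different full adders are Tseitin-encoded, their outputs are XORed into a miter, and a small DPLL procedure decides the resulting CNF (unsatisfiable means equivalent; a model is a distinguishing input pattern). The netlist format, gate names and the DPLL solver are constructed for this example.

```python
# Added example, not the paper's BMC/SATO code: equivalence checking of two gate-level
# circuits via a miter, Tseitin-encoded to CNF and decided by a small DPLL solver.  A
# netlist maps gate name -> (op, x, y); an operand is an input index (int) or a gate name.

GATES = {  # clause templates for o <-> op(a, b); literals are signed variable numbers
    "and": lambda o, a, b: [[-o, a], [-o, b], [o, -a, -b]],
    "or":  lambda o, a, b: [[o, -a], [o, -b], [-o, a, b]],
    "xor": lambda o, a, b: [[-o, a, b], [-o, -a, -b], [o, -a, b], [o, a, -b]],
}

def tseitin(netlists, n_inputs):
    """Encode every gate as CNF; input i is variable i+1. Returns (clauses, var_of)."""
    clauses, var_of = [], {}
    var = lambda x: x + 1 if isinstance(x, int) else var_of[x]
    for netlist in netlists:
        for name, (op, a, b) in netlist.items():
            var_of[name] = n_inputs + 1 + len(var_of)     # fresh variable for this gate
            clauses += GATES[op](var_of[name], var(a), var(b))
    return clauses, var_of

def dpll(clauses, assign=None):
    """Unit propagation plus case splitting; returns a model (var -> bool) or None."""
    assign = assign or {}
    open_ = [[lit for lit in c if abs(lit) not in assign] for c in clauses
             if not any(assign.get(abs(lit)) == (lit > 0) for lit in c)]
    if not open_:
        return assign                                 # every clause satisfied: a model
    c = min(open_, key=len)                           # shortest still-open clause
    if not c:
        return None                                   # all its literals false: conflict
    lit = c[0]                                        # unit clause forces lit; else split on it
    model = dpll(clauses, {**assign, abs(lit): lit > 0})
    return model if model or len(c) == 1 else dpll(clauses, {**assign, abs(lit): lit < 0})

def check_equivalence(c1, outs1, c2, outs2, n_inputs):
    """Miter is SAT iff some input drives an output pair apart; return it, or None."""
    miter = {f"m{i}": ("xor", x, y) for i, (x, y) in enumerate(zip(outs1, outs2))}
    clauses, var_of = tseitin([c1, c2, miter], n_inputs)
    clauses.append([var_of[m] for m in miter])        # at least one output pair differs
    model = dpll(clauses)
    return None if model is None else [bool(model.get(i + 1, False)) for i in range(n_inputs)]

# Constructed sample: two structurally different 1-bit full adders, inputs 0=a, 1=b, 2=cin
ADDER_A = {"A_t": ("xor", 0, 1), "A_sum": ("xor", "A_t", 2), "A_c1": ("and", 0, 1),
           "A_c2": ("and", "A_t", 2), "A_cout": ("or", "A_c1", "A_c2")}
ADDER_B = {"B_t": ("xor", 1, 2), "B_sum": ("xor", 0, "B_t"), "B_ab": ("and", 0, 1),
           "B_ac": ("and", 0, 2), "B_bc": ("and", 1, 2), "B_o": ("or", "B_ab", "B_ac"),
           "B_cout": ("or", "B_o", "B_bc")}          # majority-vote carry
# Buggy variant: the a&cin carry term is dropped; only a=1, b=0, cin=1 exposes it
ADDER_BUG = {**ADDER_B, "B_cout": ("or", "B_ab", "B_bc")}
```

`check_equivalence(ADDER_A, ["A_sum", "A_cout"], ADDER_B, ["B_sum", "B_cout"], 3)` returns None, while the same call against ADDER_BUG returns the single distinguishing pattern [True, False, True].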


Circuit      #ins   #outs   #gates    sec
Industry1     203       8      738    233
Industry2     317     232    15242   8790
Industry3      96      32     1032    210

Table  5.  Equivalence  checking  using  SAT  procedures  (sec  =  seconds). 


In our first example, Industry1, the logic of one circuit has been considerably optimized and the other is unoptimized. The structure of the two circuits is quite different and BDDs cannot be built for them because of their complex logic functionality. SATO finishes the verification in four minutes.

In the second case, Industry2, because of the size and the dissimilarity of the two circuits, we never expected the verification to finish. The result suggests that efficient SAT procedures have real potential in handling hard equivalence checking problems. For both Industry1 and Industry2, we applied logic optimization using SIS [15] on the circuits before submitting them for equivalence checking. This extra step of logic optimization greatly speeds up our verification. Without it, Industry1 takes 8246 seconds and Industry2 takes more than 1 day. The use of logic transformation to speed up SAT procedures seems promising for future research.

Industry3 is another particularly interesting example. In the two circuits that are compared, some outputs are not equivalent. However, only a small fraction of the input patterns can differentiate the two circuits (2^® out of 2^^). There is little hope that random simulation can identify the non-equality. Also, due to their complex logic functionality, BDDs cannot be built for the circuits. SATO could identify counterexamples in a few seconds for every non-equivalent output! SATO's heuristics to generate case-splitting variables work very well in this case. This example supports our belief that SAT-based approaches can detect errors efficiently.


5  Conclusion 


Our results demonstrate the potential of SAT-based techniques in various domains of hardware verification. We believe that SAT-based approaches complement the existing BDD-based approaches well. There are some promising directions of future research. Optimization techniques in generating propositional formulas need to be further investigated. Previous work from other fields such as artificial intelligence may be relevant as well. Also, heuristics of SAT procedures need to be studied for the domain of hardware verification. For instance, in BDDs, interleaving the bits often provides a good variable ordering. Similar techniques may work well as splitting heuristics for SAT procedures.